[BlueOnyx:26063] Re: BlueOnyx Webserver Performance a.k.a. the impact of "open_basedir"

Michael Stauber mstauber at blueonyx.it
Mon Apr 3 11:07:57 -05 2023


Hi Tobias,

> thanks for looking into it. I was really surprised by your performance 
> measures. But I found there is a difference in commenting out the 
> open_basedir option and disabling it by setting it to the value "Off". 
> When disabling the php process gets the server wide setting, which isn't 
> off.

You're right. I just tested it with a <? phpinfo(); ?> page in the Vsite 
where I had commented out open_basedir. It was then indeed using the 
server wide defaults.

> Please repeat your test with "php_admin_value[open_basedir] = Off". I am 
> sure you will see the difference.

Done. Same setup as before.

A "naked" standard template Wordpress Vsite with open_basedir disabled 
loads around 25-30 milliseconds faster. The one with open_basedir takes 
1.3s to load, the one without needs around 1.00-1.05s to load.

It's still not *that* much of a difference, especially considering that 
the standard Wordpress template needs around 0.340-0.355 seconds to just 
load its SourceSerif4Variable-Roman.ttf.woff2 font.

> The website I just tested (a real 
> world wordpress with lots of content and plugins installed) just took 5 
> seconds before and less than 1 second after the change..

That is interesting and it sure is a difference. It made me curious 
enough to use a real life example as well: www.blueonyx.it

It's not using Wordpress, but a CMS system that is equally (but not 
quite) as bloated as Wordpress. I switched the PHP implementation to 
suPHP to have an easier time to fiddle with the php.ini

First test:

Made sure with phpinfo() that it was set to our Vsite defaults.

Load times? Varied between 3.10-5.81. The worst I got was 8.01s.

Second test:

open_basedir = off

Made sure with phpinfo() that it was reporting "no value"

Load times? Also all over the place. The worst I got was 10.87 seconds, 
followed by a 10.02 seconds, but usually between 2.61 seconds and 3.67 
seconds. Best I ever got was 2.42 seconds.

Like I said: This was with suPHP and we usually use DSO+mod_ruid2 for that 
Vsite. Couldn't try PHP-FPM, as that would have impaired a certain 
functionality of the site.

So does open_basedir have a discernible impact? I'm leaning towards yes 
and I agree that the severity of the impact has something to do with the 
code quality and complexity and that also implies that Wordpress sure 
may be affected stronger than most other applications. Especially with 
respect to its modularity, which requires more include calls the more 
modules are active.

Would I be comfortable turning open_basedir off on a Wordpress site? My 
personal answer to that would be a definite and emphatic "HELL NO!!!", 
just because what a piece of often exploited hot garbage Wordpress is. 
Its incredibly large market share makes sure that it gets a lot of 
attention and every tiny fault or code error in Wordpress or its many 
popular modules is quickly identified and exploited by a plethora of 
different attackers. Turning open_basedir off on a Wordpress site is just 
making it much easier for an attacker to reap more benefits from his hack.

On the other hand: I understand that we may need to allow people to make 
their own informed decisions and that there may be scenarios (good 
backups, server just used for a single client/purpose) where the speed 
increase and the associated greater risk are an acceptable risk.

And allowing "open_basedir" to be set to "off" via the GUI on a per 
Vsite basis isn't too complicated of a change in the existing code.

So I'll be looking at that in the coming days and will let you know once 
it's possible to do it.

-- 
With best regards

Michael Stauber
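A defender-side check for the distinction made in the thread (directive commented out versus set to `Off`), added here as an example that is neither part of this post nor BlueOnyx code: a POSIX shell function that classifies the effective open_basedir state of a PHP-FPM pool file. The pool file names and paths below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not BlueOnyx code): classify the effective open_basedir
# state of a PHP-FPM pool file. A commented-out directive means the pool
# INHERITS the server-wide php.ini value; an unquoted "Off" (or None/Null)
# is turned into an empty string by PHP's ini scanner, which phpinfo()
# reports as "no value", i.e. the restriction is DISABLED.
#
# Prints exactly one word: inherits | disabled | restricted:<paths>
open_basedir_state() {
    awk '
        # Comment lines (";" or "#") never set anything.
        /^[ \t]*[;#]/ { next }
        # Accept both php_admin_value and php_value; the last one wins.
        /^[ \t]*php(_admin)?_value\[open_basedir\][ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)   # keep only the value part
            sub(/[ \t]+$/, "", val)
            found = 1
        }
        END {
            if (!found) { print "inherits"; exit }
            # A quoted value is a literal string, even if it reads "Off".
            if (val ~ /^"/) { gsub(/^"|"$/, "", val); print "restricted:" val; exit }
            lv = tolower(val)
            if (lv == "" || lv == "off" || lv == "none" || lv == "null") {
                print "disabled"; exit
            }
            print "restricted:" val
        }
    ' "$1"
}

# Stand-alone demo on three constructed pool files (hypothetical paths).
demo() {
    dir=$(mktemp -d)
    printf ';php_admin_value[open_basedir] = /home/sites/example/web\n' > "$dir/a.conf"
    printf 'php_admin_value[open_basedir] = Off\n' > "$dir/b.conf"
    printf 'php_admin_value[open_basedir] = /home/sites/example/web:/tmp\n' > "$dir/c.conf"
    for f in "$dir"/*.conf; do
        printf '%s: %s\n' "$(basename "$f")" "$(open_basedir_state "$f")"
    done
    rm -rf "$dir"
}
demo
```

Run it against the real pool directory (for example `/etc/php-fpm.d/*.conf` on EL-based systems) to spot pools that have silently fallen back to the global setting or dropped the restriction entirely.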
